On Halloween night, Google discloses Chrome zero-day exploited in the wild
Yesterday, on late Halloween night, Google engineers delivered the best scare of the evening and released an urgent update for the Chrome browser to patch an actively exploited zero-day.
"Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild," Google engineers said in a blog post announcing the new v78.0.3904.87 release.
The actively-exploited zero-day was described as a use-after-free bug in Chrome's audio component.
Use-after-free vulnerabilities are memory corruption bugs that occur when an application tries to use memory space that is no longer assigned to it, after being freed and assigned to another app. This usually causes a program to crash, but can also sometimes lead to other, unintended consequences, such as code execution scenarios.
Google credited Anton Ivanov and Alexey Kulaev, two malware researchers from Kaspersky, with reporting the issue. According to a blog post published after this article's publication, Kaspersky said the zero-day was being used to install malware on user devices.
Per Kaspersky, the zero-day was found being deployed on user devices via a Korean-language news portal. The Russian antivirus company said it couldn't link the zero-day's use to a specific hacking group, although there are some code similarities with past North Korean malware. The company is tracking the current attacks using this zer-day under a codename of "Operation WizardOpium."
This is the second Chrome zero-day detected this year. Back in March, Google patched another Chrome zero-day (CVE-2019-5786 in Chrome 72.0.3626.121), which at the time was being used together with a Windows 7 zero-day (CVE-2019-0859, fixed in the April Patch Tuesday). In April, Kaspersky said both exploits were used together by a yet-to-be-named APT (a term used to describe a nation-state hacking group).
Chrome 78.0.3904.87 is available for Windows, Mac, and Linux. The release will slowly roll out to all Chrome users in the coming weeks but users can trigger a manual update right now by visiting the browser's Help > About Google Chrome section.